The OAuth2 authorization model permits a client to engage in a one-time authentication. From this authentication, an access token associated with a set of specifically requested authorization scopes may be obtained. However, when the resource services a client wishes to consume span multiple disjoint security domains (with similarly disjoint authorization scopes), a client's use of a single access token for all requests would effectively expose authorization credentials across the boundaries of those security domains. That is, security is potentially compromised when the client delivers to a resource service in security domain A, an access token that could be used to make a request on a resource service in security domain B.
The OAuth2 specification does not provide for a means to request multiple access tokens from a single authentication. Rather, since the authorization code and implicit grant flows require authentication for each access token, a client must authenticate multiple times, likely with direct user interaction, in order to obtain an access token for each security domain it intends to engage with. This is both inefficient and has a significant negative impact on user experience, as the user must authorize a second token request and may need to enter their credentials multiple times.